Thursday, 1 January 2015

The Bug Bounty List - Bug Hunting

I started finding serious security issues and vulnerabilities back in 1998. Back then the community was so immature that I was getting so much grief every time I was trying to explain what I had found. The common response was "why did you check our system/application", "who told you to alter the input", "this was not supposed to happen, you broke it", "the others don't know to do this; why did you do it" and all sorts of similar discussions. Unfortunately, back then there weren't any bug bounty or recognition programs for the poor security enthusiast like myself.

I am glad to see that the community is starting to become more mature and understands how valuable the discovery of a security issue or a vulnerability by a "white hacker" can be for a business. I am also glad there are bug bounty programs out there which reward security researchers and security enthusiasts who discover security issues.

However, I believe that bug bounty programs should have a predefined rate of rewards, which will also specify a minimum and a maximum reward. Otherwise, companies might start taking advantage of the security researchers while paying peanuts for discovering serious security vulnerabilities. Also, it will help the security community to hunt vulnerabilities in a lot more systems than only focusing on high profile bug bounty programs (e.g. Facebook, Amazon, Microsoft, Google, etc.).

An interesting site I came across is an aggregation site [1] which lists all the bug bounty programs it can find. So, if you feel like you want a challenge, you may either look for bug bounty programs online yourself or go check the list on bugcrowd.com. When you go bug hunting you need to be aware of the rules, the terms and the conditions that apply in each case. Every bug bounty program has its own disclosure policy which separates the men from the boys more or less. In other words, you need to bug-hunt responsibly. For example, test the systems which are in scope for the bug hunting program and stay within scope. Reporting that you can DDoS the service, or brute force a login screen won't get you anywhere if the engagement guidelines specify that these attacks are not part of the assessment. Make sure you report the vulnerability according to their guidelines and reporting template, while you make sure the steps you describe can be replicated by them for verification.

As an example, take a look at the Airbnb disclosure policy which is very straightforward but it specifically excludes two domains from their bug bounty program.

If you're a security expert or researcher and you believe you've discovered a security-related issue with Airbnb’s online systems - except blog.airbnb.com and nerds.airbnb.com - we appreciate your help in disclosing the issue to us responsibly.
We ask the security research community to give us an opportunity to correct a vulnerability before publicly disclosing it. Please email us at security@airbnb.com with a detailed description of the issue and the steps you believe may be required to reproduce what you have observed. Please make a good faith effort to protect our users’ privacy and data. We are committed to addressing security issues responsibly and in a timely manner.

I hope you find this blog post interesting and informative on how you think when it comes to bug bounty programs. Keep in mind that it doesn't matter if you find a vulnerability before someone else, or your way is much "cooler", if you haven't followed the engagement guidelines, the disclosure policy and the reporting templates along with all the details on how one can reproduce what you found.

Happy Bug-Hunting!


[1] https://bugcrowd.com/list-of-bug-bounty-programs
